Fixed Prometheus permission error

[clayrisser]

Fixes issue #776

[rawmind0]

Hi @codejamninja ... thanks for the PR...

which docker version are you using to test prometheus?? Using local as volume driver and docker 17.03.1-ce, Prometheus is working fine, volumes get correct permissions to nobody/nogroup user...

$ ls -la /prometheus
total 24
drwxr-xr-x   36 nobody   nogroup      12288 Jun 11 14:14 .
drwxr-xr-x    1 root     root            39 Jun 11 14:08 ..
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK52MF8J871H8SJP375BHM
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK53EEWYNAVYH7HJ3Q398E
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK57N0JXND4FQSRY0S01JC
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK5835ZGX8326X7BRX6JKJ
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK58M43XNAREA1XF4HS4KH
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK5929VZZ52Y16J58RTVEX
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK5A10DGB3CTE398ZN5T2F
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK5AGHRXVETBWMAE23EFDY
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK5AYZXYW2CNZ768DW05RD
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK5BFMBPTE5FQKCSFMRXZ3
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK5BYJ158C95FQRDV5JEZ6
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK5CC2TRZ0A28AVTTRQWR7
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK5CVG45QDEP5SFYW3B74G
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK5DGJQYDGSZ8MXVGJESPM
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK5DZAN6RKMMTDK56G7RB3
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK5EF543WXD715JGKQ3WHD
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK5F5W0E257CKG61KWMG9W
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK5FPM16Y3ZXH89H0J5M0Y
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK5G3BEH0FASCEY6S7HZ4W
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK5GGEEC1JRCXJ81DQJDH6
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK5GY6V9B0PHFX0EH1MP1T
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK5HDXYR8XWHYNHFQ39KFH
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK5HXN0RTC6VH306MS42GM
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK5JEX14FR2CZQZWCX84GK
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK5JV38JA3JBTAK00GYANG
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK5KAH3KVP065METPM2DJN
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK5KR1THXRZY0QW614QS1H
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK5MEJSW4E0ERCEW80DKBP
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK5N0DRQQRCN0FHF6VWDZW
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK5NH8DX1GSSHGEZEBC83H
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK5P1213NZN3JM9W7JBTS5
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK5PK0T5ETS9A6R4E20PBJ
drwxr-xr-x    3 nobody   nogroup         68 Jun 11 14:14 01CFQK5Q19XHTXFFGCBB97EAGD
-rw-r--r--    1 nobody   nogroup       4932 Mar 25 18:43 index.html
-rw-------    1 nobody   nogroup          2 Jun 11 14:08 lock
drwxr-xr-x    2 nobody   nogroup         34 Jun 11 14:13 wal

[clayrisser]

I don't remember

[clayrisser]

I just know this fixed it

[rawmind0]

It seems issue is not in all docker versions. Yeah, this could fix the issue, but i'm not pretty sure if it's the best way to solve it. Prometheus doesn't recommend to run it as root. I think would be better approach to assure that volume has correct permissions for nobody/nogroup instead run prometheus as root. What do you think??

[clayrisser]

I would agree with you, except not all docker volume drivers give you the capability to do that.

[clayrisser]

Also, docker is made to be run as root. It's a sandboxed environment. It's not at all the same things as running your server as root.

[rawmind0]

I would agree with you , but software provider doesn't recommend to run it as root. What do you think if we provide one of these solutions??

• add a question in rancher-compose that you could select user, and set user: ${PROMETHEUS_USER} on prometheus service.

+  - variable: "PROMETHEUS_USER"
+    label: "Prometheus user"
+    description: "User to run prometheus. Use root user if you have permission issues with docker volume"
+    default: "nobody"
+    required: true
+    type: enum
+    options:
+      - nobody
+      - root

• add a sidekick to set correct permissions for nobody on docker volume, and add it as sidekick and volumes_from: on prometheus service.

+prometheus-data:
+  network_mode: none
+  labels:
+    io.rancher.scheduler.affinity:container_label_soft_ne: io.rancher.stack_service.name=$${stack_name}/$${service_name}
+    io.rancher.container.hostname_override: container_name
+    io.rancher.container.start_once: true
+  environment:
+    - SERVICE_UID=65534
+    - SERVICE_GID=65534
+    - SERVICE_VOLUME=/prometheus
+  volumes:
+    - prometheus-data:/prometheus
+  volume_driver: ${VOLUME_DRIVER}
+  image: rawmind/alpine-volume:0.0.2-1

[clayrisser]

Ah, yes, very nice compromise

[cjellick]

Closing this due to staleness. Feel free to reopen or open a new PR if there's still a relevant change to be made. Thanks!